GDPR implementation in Romania

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force in the EU. As a result, the Romanian Parliament and the Romanian Data Protection Authority (RDPA) had to create legislation to implement the GDPR in Romania. Law No. 129/2018 (amending Law No. 102/2005 on RDPA functioning, and repealing Law No. 677/2001 which implemented the Data Protection Directive 95/46 in Romania, hereinafter Law No. 129/2018) was enacted, effective as of 24 June 2018.

Under Law No. 129/2018, the powers of the RDPA to oversee the implementation of the GDPR in Romania have been strengthened, with the RDPA being granted the right to conduct unannounced investigations at controller or processor premises; in cases of obstruction, the RDPA is entitled to obtain a judicial authorization from a Bucharest Court of Appeal judge to enter such premises, without any prior summoning. Furthermore, under Law No. 129/2018, the maximum number of employees of the RDPA was increased from 50 to 85.

The Romanian Parliament also adopted Law No. 190/2018 on the measures for implementing the GDPR (Law No. 190/2018), effective as of 31 July 2018. It sets out the measures necessary for the implementation of certain provisions of the GDPR at national level, such as: processing of genetic, biometric or health-related data, processing of a national identification number, processing of personal data in an employment context, or the sanctions procedure applicable to public authorities in case of a GDPR breach.

In summary, Law No. 190/2018 allows the public authorities to appoint a sole data protection officer, and provides for such authorities, acting as controller or processor, to face a two-tier sanctioning system, which includes an initial written warning and remedy plan to be completed in no longer than 90 calendar days. If, following a second investigation, the RDPA determines that the measures provided under the remedy plan have not been accomplished, then the authority can be fined. Under Law No. 190/2018, public authorities are liable for a maximum fine of RON 200,000 (approx. EUR 43,000), which is significantly lower than the maximum fines provided under the GDPR.

In addition, the RDPA enacted Decision No. 99/2018 (effective as of 25 May 2018) which allowed for further GDPR implementation measures to be adopted into Romanian law. Decision No. 99/2018 repealed 17 regulations issued by the Romanian Ombudsman between 2002 and 2015, which at that time allowed for the implementation of the Data Protection Directive 95/46. Subsequent GDPR implementations by the RDPA include Decision No. 128/2018 approving the GDPR personal data breach notice form (effective as of 3 July 2018), and Decision No. 133/2018 approving the GDPR complaints procedure applicable before the RDPA (effective as of 13 July 2018).

RDPA Decision No. 133/2018 allows a data subject to draft a complaint in either the Romanian or English language for submission to the RDPA, in relation to an alleged breach of the GDPR provisions. This is a significant step forward in comparison with the previous procedures available for complaints before public authorities, which had to be submitted in the Romanian language only.

For any further details in relation to any of the legislation mentioned in this article, please contact Dr. Marius Petroiu.